Evaluating user-defined conditions
abigail at abigail.be
Tue Jun 10 10:37:56 BST 2014
On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote:
> On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote:
> > > # Sanitise
> > > $_ = $code;
> > > return unless /^[ \S]+$/; # Only allow normal spaces
> > > return if /[\[\]]+/; # No brackets should remain
> > > return if /\\/; # No escapes please
> > > s/"[^"]+"//g; # Remove quoted strings
> > > m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
> > So, you're excluding having any alpha char (except 'eq') in the resulting
> > expression? Because that's what the last line does. Perhaps that's your
> > intention, because I've no idea what $value is going to be, other than
> > "it could be a string in quotes".
> Yes, $value is either an integer or a string in quotes. The 2 lines
> previous to the last line should remove any string in quotes, therefore
> just leaving operators and integers?
So, your loop replaces [$var] with a string in quotes, only for s/"[^"]+"//g;
to remove it? I'm a bit confused what purpose that serves.
> > Now, if you do allow for alpha characters to be present, you have to make
> > sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
> > the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s, m,
> > and y can take any delimiter).
> I'm happy to be restrictive to the user, and only allow straightforward
> strings in double quotes. So anything else is removed or not allowed,
> and the strings in quotes are checked as above.
I don't see any check for strings in quotes -- they're removed. Do note
though that if a user inputs a string that starts with a ", and doesn't
use " elsewhere, the s/"[^"]+"//g; doesn't strip the [$var] replacements,
it will keep them as is, stripping the rest. And you'll be left with a
single " in the string -- which fails the last test.
> I would not be surprised if I've missed something though!
Considering that you want to be really restrictive, a parser is going to
be quite simple. Why not just write a parser instead of hoping you've
caught anything potentially bad?
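
A small recursive-descent evaluator of the kind suggested above, added here as an illustration and not code from the thread. It never calls string eval; the grammar, the sub names and the sample inputs are assumptions, and `<`, `>` and `eq` share one precedence level as a simplification.

```perl
use strict; use warnings;
my @tok;    # token queue shared by the parser subs
# Lexer: integers, plain double-quoted strings and the whitelisted operators only.
sub tokenise {
    local $_ = shift;
    my @out;
    push @out, defined $1 ? [num => $1] : defined $2 ? [str => $2] : [op => $3]
        while /\G *(?:([0-9]+)|"([^"\\]*)"|(&&|eq\b|[-+*\/<>()]))/gc;
    /\G *\z/gc ? @out : die "illegal input at offset " . (pos($_) // 0) . "\n";
}

sub peek     { @tok && $tok[0][0] eq 'op' ? $tok[0][1] : '' }
sub need_num { $_[0][0] eq 'num' ? $_[0][1] : die "number expected\n" }
sub atom {
    my $t = shift @tok or die "unexpected end of input\n";
    return $t if $t->[0] ne 'op';
    return [num => 0 - need_num(atom())] if $t->[1] eq '-';
    die "unexpected '$t->[1]'\n" if $t->[1] ne '(';
    my $v = expr();
    peek() eq ')' && shift @tok or die "missing ')'\n";
    return $v;
}
# One left-associative precedence level: operand parser, then op => handler.
sub binary {
    my ($next, %ops) = @_;
    my $l = $next->();
    while (my $f = $ops{ peek() }) {
        my ($op, $r) = ((shift @tok)->[1], $next->());
        my @v = $op eq 'eq' ? ($l->[1], $r->[1]) : (need_num($l), need_num($r));
        $l = [num => 0 + $f->(@v)];
    }
    return $l;
}
sub term    { binary(\&atom, '*' => sub { $_[0] * $_[1] }, '/' => sub { $_[0] / $_[1] }) }
sub sum     { binary(\&term, '+' => sub { $_[0] + $_[1] }, '-' => sub { $_[0] - $_[1] }) }
sub compare { binary(\&sum,  '<' => sub { $_[0] < $_[1] }, '>' => sub { $_[0] > $_[1] },
                             'eq' => sub { $_[0] eq $_[1] }) }
sub expr    { binary(\&compare, '&&' => sub { $_[0] && $_[1] }) }
sub evaluate {
    @tok = tokenise(shift);
    my $v = expr();
    die "trailing input\n" if @tok;
    return $v->[1];
}
# Constructed inputs: two valid conditions, then three that must be rejected.
for my $in ('(3 + 4) * 2 > 10 && "abc" eq "abc"', '"abc" eq "abd"',
            'system qw xrm -rf foox', '"unterminated', '1 + "a"') {
    my $r = eval { evaluate($in) };
    printf "%-36s => %s", $in, defined $r ? "$r\n" : "rejected: $@";
}
```

The `[$var]` placeholders would be substituted as typed tokens (number or string) before parsing rather than spliced into the source text, so a value containing a quote cannot change how the expression tokenises.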